From: Michael Orlitzky
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed]
Date: Mon, 4 Feb 2019 09:25:38 -0500
In-Reply-To: <1549288947.893.15.camel@gentoo.org>

On 2/4/19 9:02 AM, Michał Górny wrote:
>
> What is that reason? How is 'blindly accepting community contributions'
> different from 'blindly accepting new developers'? In the former case,
> at least we're not pretending things are secure when they're not.
>

The difference is the amount of effort and foresight involved (which, by the way, increases with the recent WoT proposal). It took a few months' worth of nights and weekends to become a developer. Yes, I can commit something malicious -- it will work, and then my credentials will be revoked. Now if I want to do it again, I have to come up with a fake name and fake online identity, and then spend at least a couple of weeks re-earning my developer status. As lots of potential developers (including myself at one time) have pointed out, that all sucks and nobody wants to do it.

But, with an "official" completely unreviewed repository, I can compromise everyone who uses it immediately and then do the same thing again tomorrow. I still think there's some value to it, but it can't be completely unreviewed and also occupy the same keyword space.